fix: finally remove need to chown and still run as non-root

2022-11-22 13:49:03 +01:00 · 2022-11-22 13:49:03 +01:00 · e1934a992b
commit e1934a992b
parent 15db6cc3a5
5 changed files with 154 additions and 20 deletions
--- a/13
+++ b/13
@ -11,7 +11,6 @@ CF_DIST := E1YFUJXMCXT2RN
 BUILDER_RELEASE = $(shell echo $(BUILDER) | sed -e 's/-.*$$//')
 RELEASE := $(shell echo $(BUILDER_RELEASE) | sed -e 's/\.[0-9]$$//')

-.PHONY: apk aports download upload packages invalidate_cdn

 aarch64-toolchain:
 	@podman run -it --rm \
@ -22,33 +21,29 @@ aarch64-toolchain:
 		-v ${HOME}/.abuild/:/home/alpine/.abuild:ro \
 		$(REGISTRY)/$(IMAGE):$(TAG) aarch64-toolchain

-packages: reset-permissions
+packages:
 	mkdir -p packages/kubezero/aarch64 packages/kubezero/x86_64

 distfiles:
 	mkdir -p distfiles

-aports: reset-permissions
+aports:
 	@[ -d aports/.git ] && { cd aports; git pull origin $(BUILDER_RELEASE); }
 	@[ -d aports/.git ] || { git clone https://gitlab.alpinelinux.org/alpine/aports.git && \
 	  cd aports && git checkout $(BUILDER_RELEASE); }

 apk: packages distfiles
 	podman run -it --rm --platform linux/$(_ARCH) \
+		--userns=keep-id:uid=1000,gid=1000 \
 		-v ${PWD}/distfiles:/var/cache/distfiles \
 		-v ${PWD}/packages:/home/alpine/packages \
 		-v ${PWD}/aports:/home/alpine/aports \
 		-v ${PWD}/kubezero:/home/alpine/kubezero \
 		-v ${HOME}/.gitconfig/:/home/alpine/.gitconfig:ro \
 		-v ${HOME}/.abuild/:/home/alpine/.abuild:ro \
+		--env DEBUG=$(DEBUG) \
 		$(REGISTRY)/$(IMAGE):$(BUILDER) $(PKG)

-reset-permissions:
-	@[ -d aports ] && doas chown -R $(USER): aports
-	@[ -d distfiles ] && doas chown -R $(USER): distfiles
-	@[ -d packages ] && doas chown -R $(USER): packages
-	@[ -d kubezero ] && doas chown -R $(USER): kubezero
-
 download:
 	aws s3 sync s3://zero-downtime-web/cdn/alpine/$(RELEASE)/kubezero/x86_64/ packages/kubezero/x86_64/ --exclude APKINDEX.tar.gz
 	aws s3 sync s3://zero-downtime-web/cdn/alpine/$(RELEASE)/kubezero/aarch64/ packages/kubezero/aarch64/ --exclude APKINDEX.tar.gz
--- a/11
+++ b/11
@ -3,17 +3,8 @@ set -e

 [ -n "$DEBUG" ] && set -x

-if [ -d  ~/.abuild ]; then
-  doas cp ~/.abuild/*.rsa.pub /etc/apk/keys/
-fi
-
-for f in ~/packages /var/cache/distfiles ~/aports; do
-  [ -d $f ] && doas chown -R alpine:abuild $f
-done
-
 doas apk update

-
 if [ "$1" = 'aarch64-toolchain' ]; then
  aarch64-toolchain.sh

@ -44,8 +35,6 @@ else
  fi

  for pkg in ~/$1; do
-    doas chown -R alpine:abuild $(dirname $pkg)
-
    # If checksum is OK, build package
    APKBUILD=$pkg abuild verify && rc=$? || rc=$?
    if [ $rc -eq 0 ]; then
--- a/kubezero/zdt-base/APKBUILD
+++ b/kubezero/zdt-base/APKBUILD
@ -0,0 +1,35 @@
+# Contributor: Stefan Reimer <stefan@zero-downtime.net>
+# Maintainer: Stefan Reimer <stefan@zero-downtime.net>
+pkgname=zdt-base
+pkgver=0.0.1
+pkgrel=0
+pkgdesc="ZeroDownTime Alpine additions and customizations"
+url="https://git.zero-downtime.net/ZeroDownTime/alpine-overlay/src/branch/master/kubezero/zdt-base"
+arch="noarch"
+license="AGPL-3.0"
+depends=""
+options="!check"
+subpackages="$pkgname-aws"
+
+source="route53.py
+        get_iam_sshkeys.py
+        "
+
+build() {
+  return 0
+}
+
+package() {
+  mkdir -p "$pkgdir"
+}
+
+aws() {
+  mkdir -p "$subpkgdir"
+	install -Dm755 "$srcdir"/route53.py "$subpkgdir"/usr/sbin/route53.py
+	install -Dm755 "$srcdir"/get_iam_sshkeys.py "$subpkgdir"/usr/sbin/get_iam_sshkeys.py
+}
+
+sha512sums="
+2d419d5c25a3829e99326b09876f459e48ab66f5756a8ad39b406c0f2829f5a323e8ff512afd8f32b7b07f24c88efa911bee495ce6c4d1925194cb54d3ba57bd  route53.py
+00eaff6c0a506580340b2547c3b1602a54238bac6090a15516839411478a4b4fdc138668b8ad23455445131f3a3e3fda175ed4bb0dd375402641c0e7b69c3218  get_iam_sshkeys.py
+"
--- a/kubezero/zdt-base/get_iam_sshkeys.py
+++ b/kubezero/zdt-base/get_iam_sshkeys.py
@ -0,0 +1,63 @@
+#!/usr/bin/python3
+import sys
+import boto3
+import argparse
+
+parser = argparse.ArgumentParser(description="Get SSH keys from IAM users")
+parser.add_argument(
+    "--user", dest="user", action="store", required=True, help="requested user"
+)
+parser.add_argument(
+    "--group", action="store", required=True, help="IAM group to search"
+)
+parser.add_argument(
+    "--iamRole",
+    dest="iamRole",
+    action="store",
+    help="IAM role ARN to assume to search for IAM users",
+)
+parser.add_argument(
+    "--allowedUser",
+    dest="allowedUsers",
+    action="append",
+    default=["alpine"],
+    help="Allowed users",
+)
+args = parser.parse_args()
+
+# Fail early if invalid user
+if not args.user in args.allowedUsers:
+    sys.exit(0)
+
+session = boto3.Session()
+
+if args.iamRole:
+    sts = session.client("sts")
+    credentials = sts.assume_role(
+        RoleArn=args.iamRole, RoleSessionName="sshdKeyLookup"
+    )["Credentials"]
+
+    assumed_role_session = boto3.Session(
+        aws_access_key_id=credentials["AccessKeyId"],
+        aws_secret_access_key=credentials["SecretAccessKey"],
+        aws_session_token=credentials["SessionToken"],
+    )
+    iam = assumed_role_session.client("iam")
+
+else:
+    iam = session.client("iam")
+
+try:
+    for user in iam.get_group(GroupName=args.group)["Users"]:
+        for key_desc in iam.list_ssh_public_keys(UserName=user["UserName"])[
+            "SSHPublicKeys"
+        ]:
+            key = iam.get_ssh_public_key(
+                UserName=user["UserName"],
+                SSHPublicKeyId=key_desc["SSHPublicKeyId"],
+                Encoding="SSH",
+            )
+            if key["SSHPublicKey"]["Status"] == "Active":
+                print(key["SSHPublicKey"]["SSHPublicKeyBody"], user["UserName"])
+except:
+    pass
--- a/kubezero/zdt-base/route53.py
+++ b/kubezero/zdt-base/route53.py
@ -0,0 +1,52 @@
+#!/usr/bin/env python3
+import sys
+import boto3
+import json
+import argparse
+
+
+def update_dns(record_name, ips=[], ttl=180, action="UPSERT", record_type='A'):
+    route53 = boto3.client("route53")
+    zone_id = route53.list_hosted_zones_by_name(
+        DNSName=".".join(record_name.split(".")[1:])
+    )["HostedZones"][0]["Id"]
+
+    changeset = {
+        "Changes": [
+            {
+                "Action": action,
+                "ResourceRecordSet": {
+                    "Name": record_name,
+                    "Type": record_type,
+                    "TTL": ttl,
+                    "ResourceRecords": [],
+                },
+            }
+        ]
+    }
+    for ip in ips:
+        changeset["Changes"][0]["ResourceRecordSet"]["ResourceRecords"].append(
+            {"Value": ip}
+        )
+
+    route53.change_resource_record_sets(HostedZoneId=zone_id, ChangeBatch=changeset)
+
+
+parser = argparse.ArgumentParser(description='Update Route53 entries')
+parser.add_argument('--fqdn', dest='fqdn', action='store', required=True,
+                    help='FQDN for this record')
+parser.add_argument('--record', action='append', required=True,
+                    help='Value of a record')
+parser.add_argument('--type', dest='record_type', action='store', default='A',
+                    help='Record type')
+parser.add_argument('--ttl', dest='ttl', action='store', default=180, type=int,
+                    help='TTL of the entry')
+parser.add_argument('--delete', dest='delete', action='store_true',
+                    help='delete entry')
+
+args = parser.parse_args()
+action = "UPSERT"
+if args.delete:
+    action = "DELETE"
+
+update_dns(args.fqdn, args.record, action=action, ttl=args.ttl, record_type=args.record_type)